How To Protect Your Ubuntu Server From Brute-force Bot Attacks

Ashok Raja T
Technology Specialist
October 15, 2019

In my previous article I explained how to protect WordPress sites from brute-force bot attacks. In this article, let's see how to protect Ubuntu servers themselves, starting with the SSH service the bots go after first.

When our blogs were running in a shared hosting environment, these issues were handled by the hosting company. After we moved to dedicated servers, protecting the servers became our responsibility.

Bot Attacks

Some time back, while I was checking the authentication log (located at /var/log/auth.log), I noticed that there were more than 54K login attempts for the user “root” and another 42K login attempts with random user names.

The count was a bit surprising, and the majority of the requests were coming from IP addresses pointing to China. These bot attacks forced me to look for options to secure the servers. Herewith I am sharing my findings and some basic steps that can help you keep the bots at bay.
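Counting those attempts by hand is tedious, so here is a small script that produces the same kind of summary from auth.log. This is an added example, not code from the original article: it parses the “Failed password” and “Accepted” messages sshd writes on Ubuntu, counts failures per source IP and per user, lists the non-existent usernames each IP tried, and flags any successful login from an address that had already failed repeatedly (the case that needs an incident-response look, not just a firewall rule). The log lines below are constructed, with addresses from the RFC 5737 documentation ranges; the function names and the threshold of three failures are my choices.

```python
"""Summarise SSH brute-force attempts from Ubuntu's /var/log/auth.log.

Added example, not from the original article. It runs offline on the
constructed sample lines below; pass open("/var/log/auth.log") to
parse_auth_log() to get the same summary for a real server.
"""
import re
from collections import Counter, defaultdict

# sshd messages as they appear on Ubuntu (syslog prefix, then the message).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(lines):
    """Count failed password attempts per IP and per user, and record
    successful logins so an attacker who eventually got in stands out."""
    failed_by_ip = Counter()
    failed_by_user = Counter()
    invalid_users = defaultdict(set)   # ip -> usernames that do not exist here
    accepted = []                      # (user, ip, method)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            failed_by_user[m["user"]] += 1
            if m["invalid"]:
                invalid_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
    return {
        "failed_by_ip": failed_by_ip,
        "failed_by_user": failed_by_user,
        "invalid_users": {ip: sorted(u) for ip, u in invalid_users.items()},
        "accepted": accepted,
    }


def suspicious_successes(summary, threshold=3):
    """Successful logins from an IP that had already failed `threshold` or
    more times: a guessed password, which needs investigation, not just a ban."""
    return [
        (user, ip, method)
        for user, ip, method in summary["accepted"]
        if summary["failed_by_ip"][ip] >= threshold
    ]


# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG = """\
Oct 12 03:14:07 web01 sshd[21544]: Failed password for root from 203.0.113.45 port 51122 ssh2
Oct 12 03:14:09 web01 sshd[21544]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Oct 12 03:14:12 web01 sshd[21560]: Invalid user oracle from 198.51.100.7 port 40022
Oct 12 03:14:13 web01 sshd[21560]: Failed password for invalid user oracle from 198.51.100.7 port 40022 ssh2
Oct 12 03:15:01 web01 sshd[21570]: Accepted publickey for thor from 192.0.2.10 port 50112 ssh2: ED25519 SHA256:constructedfp
Oct 12 03:15:30 web01 sshd[21580]: Failed password for thor from 203.0.113.45 port 51200 ssh2
Oct 12 03:15:33 web01 sshd[21580]: Accepted password for thor from 203.0.113.45 port 51200 ssh2
"""

if __name__ == "__main__":
    summary = parse_auth_log(SAMPLE_AUTH_LOG.splitlines())
    for ip, n in summary["failed_by_ip"].most_common():
        tried = summary["invalid_users"].get(ip, [])
        print(f"{ip:16} {n:5} failed password attempts, invalid users tried: {tried}")
    for user, ip, method in suspicious_successes(summary):
        print(f"INVESTIGATE: {user} logged in via {method} from {ip} after repeated failures")
```

On a busy server run it as `sudo python3 sshlog.py` after changing the `__main__` block to read the real file; the per-IP counter is also the list you would feed into firewall rules, and the “INVESTIGATE” lines are the ones that justify rotating that user's password and reviewing what the session did.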

1. Change SSH Port from 22 to something else

The majority of brute-force bots target port 22, so moving sshd to another port is the easiest way to cut the noise in auth.log. Be clear about what it buys you, though: it is obscurity, not a security control. Scanners that sweep all ports will still find sshd, so the port change is only worthwhile together with the authentication changes in the later steps. To change the port, edit the file /etc/ssh/sshd_config and change the line “Port 22” to “Port 20202” or any other unused port number. If you use the firewall from the next step, open the new port there before restarting sshd.

Changes to sshd_config take effect only after sshd is restarted. Run “sudo sshd -t” first; it checks the file for errors and prints nothing when the file is valid. Then run “sudo systemctl restart ssh”. On Ubuntu the unit is named ssh.service, and sshd.service is an alias for it, so “sudo service sshd restart” also works. On Ubuntu 22.10 and later sshd is started through systemd socket activation (ssh.socket), and the port sshd listens on is governed by that socket unit rather than by sshd alone. Whichever release you run, confirm with “sudo ss -tlnp | grep sshd” that sshd is listening on the new port, and test a fresh login from a second terminal before closing the session you are in.
Note: there is another file named “ssh_config” in the same directory with similar-looking options. Don't confuse the two: ssh_config configures the ssh client, and changes to it have no effect on the ssh daemon.

2. Enable firewall

The next step is to block every port other than the ones you actually need. For a typical web server the steps below are more than enough.

sudo -i # Switch to a root shell. If you skip this line, prefix every command below with sudo
apt install ufw # Install the firewall, if it is not installed yet
ufw default deny incoming # Block all incoming connections unless a later rule allows them
ufw default allow outgoing # Allow all outgoing traffic. Required for apt, curl, wget etc.
ufw allow 22/tcp # SSH. Use the port you chose in the previous step instead of 22 if you changed it
ufw allow http # Port 80
ufw allow https # Port 443
ufw enable # Enable the firewall. Only do this after the SSH rule above is in place
exit # Leave the root shell
To check the status of the firewall, execute the command “ufw status verbose”. Because the default policy is deny, the SSH rule must be added before “ufw enable”, otherwise you lock yourself out of a remote server. If password logins must stay enabled for a while, use “ufw limit 22/tcp” instead of “ufw allow 22/tcp”: ufw then denies an address that has opened six or more new connections to that port within the last 30 seconds, which slows down bots without blocking normal use.

3. Disable password login for root

Before disabling password-based authentication for the “root” account, make sure you have another working way to log in, otherwise you will be locked out of your own server. The first step is to enable SSH key-based authentication for the root account.

Refer to my earlier article for more details on how to enable SSH key-based authentication. Although that article is written for SUSE, the steps work on all Linux variants.

Make the changes below to the file /etc/ssh/sshd_config to stop the “root” account from logging in with a password:
1. Change PermitRootLogin yes to PermitRootLogin prohibit-password. Root can then only log in with a key; the older spelling without-password is still accepted and means the same thing.
2. Make sure UsePAM yes is set. It already is on a stock Ubuntu install; PAM is what applies account and session checks to SSH logins.
3. Change ChallengeResponseAuthentication yes to ChallengeResponseAuthentication no (newer OpenSSH versions call this KbdInteractiveAuthentication, and accept both names). With UsePAM yes, keyboard-interactive authentication is a second way of prompting for a password, so it has to be switched off as well once you disable PasswordAuthentication in a later step.

4. Use an alternate account with sudo permission

Instead of logging in as root at all, you can block the “root” account from logging in completely: create a new user account, give it sudo privileges, and then set PermitRootLogin no in /etc/ssh/sshd_config. With that setting, even a valid root key is refused, so the account the bots target most is simply not reachable over SSH.

To create a new user named “thor”, follow the steps below.

sudo adduser thor # Create the new user thor. Follow the prompts and set a strong password for this user
sudo usermod -aG sudo thor # Add thor to the sudo group, which on Ubuntu grants sudo rights

Keep your current session open, and from a second terminal log in with the new account to confirm that it works and that “sudo -v” succeeds. Only then change PermitRootLogin and restart sshd; the open session is your way back in if something is wrong.

If you want to block all password-based logins, set PasswordAuthentication no in sshd_config (together with ChallengeResponseAuthentication no from the earlier step, otherwise PAM can still prompt for a password). Before doing this, make sure SSH key-based authentication is working for the account you use, because any misconfiguration will lock you out of your server. Two checks are worth running before the restart: “sudo sshd -t” to catch syntax errors, and “sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication|kbdinteractive'” to print the values sshd will actually use. On recent Ubuntu releases sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and because sshd uses the first value it sees for a directive, a drop-in file there overrides whatever you write in the main file.
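The edits in steps 3 and 4 are easy to get subtly wrong, so here is a checker for them. It is an added example, not code from the article or from OpenSSH: it reproduces two sshd parsing rules that bite in practice (directive names are case-insensitive, and the first value of a directive wins, so a hardening line appended below an earlier duplicate does nothing), then reports which of the settings discussed above are still in their weak state. The sample configurations are constructed, the defaults table holds OpenSSH's documented defaults for these directives, and the function names are my own.

```python
"""Audit the settings sshd would use from an sshd_config file.

Added example, not from the article. Reproduces two sshd parsing rules:
directive names are case-insensitive, and the FIRST value of a directive
wins, so a hardening line added below an earlier duplicate is ignored.
Include directives and Match blocks are not followed; see the note after
the code and use `sshd -T` for the final word.
"""

# OpenSSH's own defaults for the directives this page changes.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# ChallengeResponseAuthentication was renamed in OpenSSH 8.7; same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
ROOT_NO_PASSWORD = ("no", "prohibit-password", "without-password")


def effective_settings(text):
    """Global settings sshd would use: first value wins, and parsing stops
    at the first Match block (conditional overrides are out of scope here)."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in settings and key not in seen:
            settings[key] = parts[1].strip().lower() if len(parts) > 1 else ""
            seen.add(key)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the file matches the
    hardening steps in the article (non-default port, key-only logins)."""
    s = effective_settings(text)
    findings = []
    if s["port"] == "22":
        findings.append("Port 22: still the default port the bots target")
    if s["permitrootlogin"] not in ROOT_NO_PASSWORD:
        findings.append(f"PermitRootLogin {s['permitrootlogin']}: root can log in with a password")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication yes: password guessing still possible")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication yes: PAM can still prompt for a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication no: key login disabled, you would be locked out")
    return findings


# Constructed samples: a stock-looking file, the article's edited version,
# and the duplicate-directive trap where the appended line is ignored.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
"""
HARDENED_CONFIG = """\
Port 20202
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""
DUPLICATE_TRAP = """\
PasswordAuthentication yes
Port 20202
# hardening edit added later, below the original line: sshd ignores it
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("duplicate", DUPLICATE_TRAP)]:
        print(name, audit_sshd_config(cfg) or ["OK"])
```

Run it as `sudo python3 sshd_audit.py` with the `__main__` block changed to read /etc/ssh/sshd_config, then compare against `sudo sshd -T`, which is authoritative: it follows Include files such as the drop-ins under /etc/ssh/sshd_config.d/ on recent Ubuntu releases, and those take precedence over the main file for exactly the first-value-wins reason the script demonstrates.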

5. Keep your server and packages up to date

This is the step people most often forget or don't take seriously. Most of the bots are not looking for clever new flaws; they look for services with known, already-patched vulnerabilities. Upgrade the installed packages regularly by executing the commands below, and check afterwards whether a reboot is needed (Ubuntu creates /var/run/reboot-required when a kernel or core library update is waiting for one).

sudo apt-get update # Refresh the package index
sudo apt-get upgrade # Install the available updates, including OpenSSH security fixes

To upgrade to the next Ubuntu release, execute the command sudo do-release-upgrade. This can take a long time depending on your network connection and machine configuration, and it rewrites configuration files along the way, so take a backup first and re-check /etc/ssh/sshd_config (the upgrade tool asks whether to keep your modified version) and “ufw status” once it completes.
